Security Enhancements: Policy Documentation, Automation & Alert Fixes#5049
Security Enhancements: Policy Documentation, Automation & Alert Fixes#5049akabarki76 wants to merge 76 commits intogoogle-gemini:mainfrom
Conversation
Signed-off-by: Mustapha BARKI <code4yo@gmail.com>
Create SECURITY.md
Create SECURITY.md
Signed-off-by: Mustapha BARKI <code4yo@gmail.com>
Add files via upload
Signed-off-by: Mustapha BARKI <code4yo@gmail.com>
Create security.md
Signed-off-by: Mustapha BARKI <code4yo@gmail.com>
Your revamped SECURITY.md is a major step forward—so much clearer and user-centric now. A few extra polish items and optional extras you might consider:
1. Add a PGP Fingerprint for Encrypted Reports
If you handle truly sensitive disclosures, publishing a PGP key (or its fingerprint) up front lets researchers encrypt their findings before emailing you. Example:
```markdown
**PGP Key:**
```
4096-bit RSA Key Fingerprint: ABCD EFGH IJKL MNOP QRST UVWX YZ01 2345 6789 0ABC
```
2. CVE & Advisory Workflow
Clarify how you assign CVEs or GitHub Security Advisories:
```markdown
## Advisory Publication
- We assign CVEs via GitHub’s advisory system.
- We’ll link the public advisory here once available:
https://github.com/google-gemini/gemini-cli/security/advisories
```
3. Severity Classification
A simple severity table can help triage incoming reports:
```markdown
| Severity | Description |
| -------- | ------------------------------------- |
| Critical | Remote code execution, data exposure |
| High | Privilege escalation, DoS |
| Medium | Non-critical information disclosure |
| Low | Cosmetic issues, minor leaks |
```
4. Dependency & Supply-Chain Notices
If you consume major third-party libraries, note how you handle vulnerabilities there. E.g., “We triage Dependabot alerts within 5 business days.”
5. Link to Code of Conduct or Responsible Disclosure Guidelines
Embedding a short line to your project’s overall code of conduct can signal your community values:
```markdown
For complete disclosure guidelines, see [CODE_OF_CONDUCT.md](./CODE_OF_CONDUCT.md).
```
6. Automate Security-Policy Checks (Optional CI)
You already have a placeholder check—consider extending it to:
- Validate the PGP fingerprint is present
- Ensure your Advisory URL is correct
- Confirm severity table contains all four levels
---
With these additions, you’ll cover every angle—from encrypted reporting to CVE handling and process transparency. Let me know if you’d like:
- A ready-to-go GitHub Action for PGP-and-Advisory checks
- A full CVE-assignment & triage template
- A vulnerability severity calculator script
- Anything else to lock down your security process!
Signed-off-by: Mustapha BARKI <code4yo@gmail.com>
Create dependabot.yml
…structed from library input Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Mustapha BARKI <code4yo@gmail.com>
Potential fix for code scanning alert no. 9: Unsafe shell command constructed from library input
…structed from library input Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Mustapha BARKI <code4yo@gmail.com>
Potential fix for code scanning alert no. 7: Unsafe shell command constructed from library input
automation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @akabarki76, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request significantly bolsters the project's security posture by establishing foundational security policies, automating vulnerability detection and dependency management, and directly patching critical security flaws related to URL handling and shell command execution. It also includes substantial synchronization with the upstream repository to maintain codebase currency.
Highlights
- Security Policy & Automation: Introduced formal security policy documentation (
SECURITY.md,security.md) and automated security practices including Dependabot for dependency vulnerability monitoring and a GitHub Actions workflow for security policy validation. - Critical Vulnerability Fixes: Addressed three critical code scanning alerts by improving URL sanitization in
packages/core/src/tools/web-fetch.tsto prevent potential SSRF/phishing risks, and by enhancing shell command safety inpackages/core/src/utils/editor.tsto mitigate command injection vulnerabilities. - Upstream Synchronization: Incorporated numerous upstream changes from
google-gemini/mainto keep the codebase up-to-date and integrated GitHub Advanced Security for automated alert resolution.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request introduces several security enhancements, including adding a Dependabot configuration, security policy documentation, and fixing code scanning alerts related to URL sanitization and command injection.
My review focuses on the correctness and completeness of these security fixes and configurations. While the changes are a significant step forward, there are a few critical issues that need to be addressed:
- The Dependabot configuration is incomplete and will not function as is.
- The security policy documents are either placeholders or malformed and duplicated.
- A fix for a command injection vulnerability in
editor.tshas introduced a new bug and a compilation error by incorrectly using shell quoting where it's no longer needed. - The URL sanitization fix in
web-fetch.tshas a logic flaw in its error handling for invalid URLs.
These issues should be addressed to ensure the security enhancements are effective and the code is robust.
|
|
||
| version: 2 | ||
| updates: | ||
| - package-ecosystem: "" # See documentation for possible values |
There was a problem hiding this comment.
The package-ecosystem is not specified. For Dependabot to work on this repository, you need to set this to npm since this is a Node.js project using npm for package management. Without this, Dependabot will not be able to find and update dependencies.
- package-ecosystem: "npm" # See documentation for possible values
| shellQuote.quote([oldPath]), | ||
| shellQuote.quote([newPath]), |
There was a problem hiding this comment.
The use of shellQuote.quote() here is incorrect and will cause issues.
- Compilation Error:
shellQuoteis not imported in this file, so this will cause a compilation error. - Incorrect Usage: Other changes in this PR correctly remove
shell: truefromspawnand replaceexecSyncwithexecFileSync. These changes mean that arguments are passed directly to the executable without shell interpretation. Therefore, shell-quoting the paths is not necessary and is actually harmful. The editor will receive the path with quotes as part of the filename (e.g.,'path/to/file'), which will prevent it from opening files with spaces or special characters in their paths.
The arguments should be passed without quoting.
| shellQuote.quote([oldPath]), | |
| shellQuote.quote([newPath]), | |
| oldPath, | |
| newPath, |
| Use this section to tell people about which versions of your project are | ||
| currently being supported with security updates. | ||
|
|
||
| | Version | Supported | | ||
| | ------- | ------------------ | | ||
| | 5.1.x | :white_check_mark: | | ||
| | 5.0.x | :x: | | ||
| | 4.0.x | :white_check_mark: | | ||
| | < 4.0 | :x: | | ||
|
|
||
| ## Reporting a Vulnerability | ||
|
|
||
| Use this section to tell people how to report a vulnerability. | ||
|
|
||
| Tell them where to go, how often they can expect to get an update on a | ||
| reported vulnerability, what to expect if the vulnerability is accepted or | ||
| declined, etc. |
There was a problem hiding this comment.
This security policy file contains only placeholder text. To be effective, it needs to be filled out with the project's specific details. Please replace the template content with the actual security policy, including which versions are supported and the precise process for reporting vulnerabilities. An incomplete policy can be misleading to users and contributors.
| const urls = extractUrls(params.prompt).map((url) => { | ||
| if (url.includes('github.com') && url.includes('/blob/')) { | ||
| return url | ||
| .replace('github.com', 'raw.githubusercontent.com') | ||
| .replace('/blob/', '/'); | ||
| try { | ||
| const parsedUrl = new URL(url); | ||
| if (parsedUrl.hostname === 'github.com' && url.includes('/blob/')) { | ||
| return url | ||
| .replace('github.com', 'raw.githubusercontent.com') | ||
| .replace('/blob/', '/'); | ||
| } | ||
| } catch (e) { | ||
| // If URL parsing fails, ignore this URL | ||
| console.error(`Invalid URL encountered: ${url}`); | ||
| } | ||
| return url; | ||
| }); |
There was a problem hiding this comment.
The current implementation for handling invalid URLs is problematic. If new URL(url) throws an exception, the catch block logs an error, but then the original, invalid url is returned from the map function. This contradicts the comment "If URL parsing fails, ignore this URL" and can lead to downstream errors if other parts of the code expect a valid URL.
A better approach is to filter out invalid URLs completely. You can achieve this by using reduce to build a new array containing only valid URLs.
const urls = extractUrls(params.prompt).reduce<string[]>((acc, url) => {
try {
const parsedUrl = new URL(url);
if (parsedUrl.hostname === 'github.com' && url.includes('/blob/')) {
acc.push(
url
.replace('github.com', 'raw.githubusercontent.com')
.replace('/blob/', '/')
);
} else {
acc.push(url);
}
} catch (e) {
// If URL parsing fails, this URL is skipped.
console.error(`Invalid URL encountered and skipped: ${url}`);
}
return acc;
}, []);| ## Supported Versions | ||
|
|
||
| -The following versions are currently supported with security updates: | ||
| - | ||
| -| Version | Supported | | ||
| -| ------- | :-------: | | ||
| -| 1.0.x | ✅ | | ||
| -| 2.0.x | ✅ | | ||
| +The following versions are currently supported with security updates: | ||
| + | ||
| +| Version | Supported? | | ||
| +| ---------- | :--------: | | ||
| +| 0.1.x | ✅ | | ||
| +| 0.2.x | (when released) | | ||
|
|
There was a problem hiding this comment.
This file appears to be a duplicate of SECURITY.md and its content is malformed, looking like a diff with + and - characters. This can be very confusing for anyone looking for the security policy.
Please consolidate the security policy into a single, correctly formatted SECURITY.md file (which is the standard) and remove this security.md file.
gemini-cli
Bot
added
kind/bug
priority/p1
|
Hi, thank you for your contribution. I've added a more customized dependabot.yml. A few of your other edits seem like they're placeholder files or duplicates of existing files. I am going to close this PR. Feel free to open another one with more targeted edits. |
2 participants
TLDR
Security enhancements including policy documentation, automated security checks, dependency management, and fixes for 3 code scanning alerts. Addresses critical feedback from initial review.
Dive Deeper
Key Improvements
Security Policy & Automation
Critical Vulnerability Fixes
Repository Maintenance
Review Feedback Addressed
Reviewer Test Plan
Security Policy Verification
Alert Fix Validation